Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
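The weakness here is CWE-426, Untrusted Search Path: when a program is started by bare name ("icacls.exe") rather than by full path, Windows resolves it through the CreateProcess search order (the calling application's directory, the parent's current directory, System32, the System directory, the Windows directory, then PATH), so a same-named file in a directory earlier in that order than System32 is the one that runs, with the installer's privileges. The fix the advisory describes is to name the tool by its full path. The Python below is an added example, not part of this CVE record or of the Tomcat project's installer: `audit_script` is a hypothetical lint that flags commands whose executable is not given as an absolute path, and `qualify_system_tool` shows the corrected form by pinning a known Windows tool to the System32 directory under a caller-supplied SystemRoot. The sample install steps and the `C:\Windows` root are constructed for illustration.

```python
"""Lint and hardening helpers for CWE-426 (untrusted search path) in Windows
install scripts. Added example; hypothetical helpers, not Tomcat code."""
import ntpath
import shlex

# Documented CreateProcess search order for an executable given by bare name.
# The first match wins, so every entry before System32 can shadow a system tool.
CREATEPROCESS_SEARCH_ORDER = (
    "directory the calling application was loaded from",
    "current directory of the parent process",
    "Windows system directory (System32)",
    "16-bit Windows system directory (System)",
    "Windows directory",
    "each directory listed in PATH",
)

# Tools this example is willing to pin to System32 (only the one the CVE names).
SYSTEM_TOOLS = frozenset({"icacls.exe"})


def classify_exe(token: str) -> str:
    """Classify how Windows would locate the executable named by a command token.

    'absolute' : C:\\...\\tool.exe, \\\\server\\share\\tool.exe, or %VAR%\\...\\tool.exe
                 (an env-rooted path is assumed to expand to an absolute directory)
    'relative' : .\\tool.exe, sub\\tool.exe, C:tool.exe  (resolved against a CWD)
    'bare'     : tool.exe  (resolved through CREATEPROCESS_SEARCH_ORDER)
    """
    exe = token.strip('"')
    drive, rest = ntpath.splitdrive(exe)
    if drive and rest.startswith(("\\", "/")):
        return "absolute"
    if exe.startswith("%"):
        return "absolute"
    if ntpath.dirname(exe) or drive:
        return "relative"
    return "bare"


def audit_script(script: str) -> list[tuple[int, str, str]]:
    """Return (line number, executable, classification) for every command line
    whose program is not named by an absolute path. One command per line;
    blank lines and rem/::/# comments are skipped."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::", "#")):
            continue
        # posix=False keeps quotes and treats backslashes literally (Windows style).
        tokens = shlex.split(line, posix=False)
        if not tokens:
            continue
        kind = classify_exe(tokens[0])
        if kind != "absolute":
            findings.append((lineno, tokens[0].strip('"'), kind))
    return findings


def qualify_system_tool(cmdline: str, system_root: str) -> str:
    """Rewrite a bare/relative invocation of a known Windows tool to its full
    System32 path under system_root (e.g. the value of %SystemRoot%).
    Unknown tools are refused rather than silently redirected."""
    tokens = shlex.split(cmdline, posix=False)
    exe = tokens[0].strip('"')
    if classify_exe(exe) == "absolute":
        return cmdline
    name = ntpath.basename(exe).lower()
    if name not in SYSTEM_TOOLS:
        raise ValueError(f"{exe!r} is not a known system tool; cannot pin it to System32")
    full = ntpath.join(system_root, "System32", name)
    return " ".join([f'"{full}"'] + tokens[1:])


# Constructed sample; NOT the real Tomcat installer script.
SAMPLE_INSTALL_STEPS = """\
rem constructed sample install steps
icacls.exe "C:\\Tomcat" /grant Users:(OI)(CI)R
"C:\\Windows\\System32\\icacls.exe" "C:\\Tomcat\\conf" /inheritance:r
.\\helper.exe --stage
"""

if __name__ == "__main__":
    for lineno, exe, kind in audit_script(SAMPLE_INSTALL_STEPS):
        print(f"line {lineno}: {exe} is {kind}; not pinned to an absolute path")
    fixed = qualify_system_tool('icacls.exe "C:\\Tomcat" /grant Users:(OI)(CI)R', "C:\\Windows")
    print("hardened:", fixed)
```

Running the lint over the constructed steps flags line 2 (bare `icacls.exe`, the pattern the advisory describes) and line 4 (a CWD-relative helper), while the already qualified line 3 passes; the hardened rewrite of line 2 then audits clean.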
History
                    Fri, 08 Aug 2025 12:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | 
Thu, 07 Aug 2025 11:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | 
Wed, 02 Jul 2025 18:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Apache Apache tomcat | |
| CPEs | cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | |
| Vendors & Products | Apache Apache tomcat | |
Tue, 17 Jun 2025 14:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | cvssV3_1 | |
Mon, 16 Jun 2025 20:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| References | | |
Mon, 16 Jun 2025 14:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | |
| Title | Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows | |
| Weaknesses | CWE-426 | |
| References | | |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2025-06-16T14:22:16.288Z
Updated: 2025-08-12T13:26:52.278Z
Reserved: 2025-06-02T08:34:46.719Z
Link: CVE-2025-49124

Vulnrichment
Updated: 2025-06-16T20:03:24.388Z

NVD
Status: Modified
Published: 2025-06-16T15:15:24.707
Modified: 2025-08-08T12:15:28.617
Link: CVE-2025-49124

Redhat
No data.